Microsoft Internet Explorer Buffer Overflow in Processing SMB Share Names Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1009939
SecurityTracker URL: http://securitytracker.com/id/1009939
Updated: Apr 26 2004
Original Entry Date: Apr 26 2004
Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
A buffer overflow vulnerability was reported in Microsoft Windows Explorer and Internet Explorer. A remote user with control of a network share can cause a target user's browser to crash when connecting to the network share.
Rodrigo Gutierrez reported that a remote user with control of an SMB share can set a specially crafted share name so that when a target user attempts to connect to the SMB share, the target user's browser will crash or execute arbitrary code.
According to the report, Microsoft ostensibly fixed this flaw in Windows XP SP1 and Windows 2000 SP4 after being notified by Rodrigo Gutierrez in early 2002, as described in Microsoft KB article 322857.
However, the report indicates that the problem was not properly fixed.
A demonstration exploit is provided in the Source Message.
A remote user can cause a target user's browser to crash or execute arbitrary code when the target user attempts to connect to a malicious SMB share. The arbitrary code will execute with the privileges of the target user.
No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)
Underlying OS Comments: Windows 2003 not affected
Source Message Contents
Date: Sun, 25 Apr 2004 18:01:53 -0400
Subject: [Full-Disclosure] Microsoft's Explorer and Internet Explorer long share name buffer overflow.
Microsoft Explorer and Internet Explorer Long Share Name Buffer
Author: Rodrigo Gutierrez <email@example.com>
Affected: MS Internet Explorer, MS Explorer (explorer.exe)
Windows XP(All), Windows 2000(All), Windows 98(All), Windows
Not Tested: Windows 2003
Vendor Status: I notified the vendor in the beginning of 2002. This vulnerability was supposed to be fixed in Service Pack 1 in XP and SP4 in Windows 2000 according to the vendor's knowledge base article 322857.
Vendor url:
MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are core pieces of Microsoft Windows operating systems.
Windows fails to handle long share names when accessing a remote file server such as Samba, allowing a malicious server to crash the client's Explorer and eventually execute arbitrary code on the machine as the current user (usually with Administrator rights in
In order to exploit this, an attacker must be able to get a user to
to a malicious server which contains a share name equal to or longer than
Windows won't allow you to create such a long share, but of course Samba includes the feature ;). After your Samba box is up and running, create
share in your smb.conf:
#------------ CUT HERE -------------
# Note: the [share] section header line (the overlong share name itself) is not preserved in the archived message.
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung
#------------ CUT HERE -------------
After your server is up, just get to your Windows test box and get to
start menu > run > \\your.malicious.server.ip., plufff, Explorer will
<a href="\\my.malicious.server.ip">Enter My 0day sploit archive
From your network card settings disable the Client for Microsoft
until a real fix for this vulnerability is available.
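As an added defensive check, not part of the advisory or of the original post: a Python audit that reads a Samba smb.conf and reports share section names longer than a Windows client is built to accept, which is the vector the post describes. The 80-character limit, the helper names and the sample configuration are constructed assumptions; the post's own figure is not preserved in the archived message.

```python
import re
from typing import Iterator, List, Tuple

# Assumed limit: 80 characters is the documented Windows maximum for a share
# name; the figure the original post used is not preserved in the archive.
DEFAULT_MAX_SHARE_NAME_LEN = 80

# Sections Samba treats specially rather than as ordinary file shares.
SPECIAL_SECTIONS = {"global", "homes", "printers"}

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")


def iter_share_names(smb_conf_text: str) -> Iterator[str]:
    """Yield every section name in smb.conf order, skipping comment lines."""
    for line in smb_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        match = _SECTION_RE.match(line)
        if match:
            yield match.group("name")


def find_overlong_shares(smb_conf_text: str,
                         max_len: int = DEFAULT_MAX_SHARE_NAME_LEN) -> List[Tuple[str, int]]:
    """Return (name, length) for each ordinary share whose name exceeds max_len."""
    return [
        (name, len(name))
        for name in iter_share_names(smb_conf_text)
        if name.lower() not in SPECIAL_SECTIONS and len(name) > max_len
    ]


# Constructed sample: one normal share and one whose name is far over the limit.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP

[public]
    comment = Area 51
    path = /tmp/testfolder
    public = yes

[""" + "A" * 300 + """]
    path = /tmp/testfolder
    browseable = yes
"""

if __name__ == "__main__":
    for name, length in find_overlong_shares(SAMPLE_SMB_CONF):
        print(f"share name of {length} chars exceeds {DEFAULT_MAX_SHARE_NAME_LEN}: {name[:20]}...")
```

Run it against the smb.conf of any Samba server your Windows clients browse; a hit means a share name that a client from this advisory's affected list may fail to handle.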